[opensuse] A question about errors in logs
Guys, I've been doing a search on the net for common log errors that show attacks. I am working on a script to put information from my logs to check for attacks; here are three I got. Does anyone know where I can find more, or can you recommend a string for me to search for?

"for SSH attacks":
`grep 'Invalid user' /var/log/messages | awk '{ print $10 }' | grep '[0-9]' | sort | uniq`

"for Pop attacks...":
`grep "\-ERR \[AUTH\]" /var/log/mail | awk '{ print $9 }' | sed 's/(//g' | sed 's/)://g' | sort | uniq`

"for Storm Worm":
`grep "smtpd_peer_init" /var/log/mail | awk '{ print $8 }' | sed 's/://g' | sort -u`

"for Spammer checking accounts":
`grep 'Recipient address rejected' mail.log | awk '{ print $10 }'`

for ftp:
`grep -i 'no such user' /var/log/proftpd/proftpd.log | awk '{ print $7 }' | cut -d\[ -f2 | cut -d\] -f1 | sed 's/::ffff://g' | sort | uniq`

I've been getting hit real hard from China and Korea lately, and I know if they are hitting me on Mail, ssh, and ftp, they've got to be hitting me in other areas.

--
----------------------------------------
Discover it! Enjoy it! Share it! openSUSE Linux.
-----------------------------------------
openSUSE -- http://en.opensuse.org/User:Terrorpup
openSUSE Ambassador
openSUSE Member
skype -- terrorpup
twitter -- terrorpup
friendfeed -- http://friendfeed.com/terrorpup
Come join me at the Atlanta Linux Fest, September 19th, 2009 http://atlantalinuxfest.org/.
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Wednesday 16 September 2009 06:00:21 pm Chuck Payne wrote:
I've been getting hit real hard from China and Korea lately, and I know if they are hitting me on Mail, ssh, and ftp, they've got to be hitting me in other areas.
Excellent work Chuck! (post the script when you have it ready)

A couple of more tips:

[[[ #1 all time tip ]]] Move ssh to a high port!

grep Unassigned /etc/services and then take your pick

edit /etc/services and comment out the existing ssh entries for port 22 and then duplicate the ssh entries on whatever port you choose

NOTE: EDIT YOUR FIREWALL SETTINGS TO OPEN UP THE NEW PORT FOR SSH BEFORE YOU RESTART SSH IF YOU ARE WORKING FROM A REMOTE HOST OR YOU ARE --- SCREWED!!!

edit /etc/ssh/sshd_config and change:

#Port 22
Port 8302

Next, on hosts that will access ssh on the box that has ssh on the high port, either:

(a) edit the system wide /etc/ssh/ssh_config and add the new host/port definition (Host on one line followed by Port on the next line) and it will be available for all users. eg:

Host myhost.3111skyline.com myhost
Port 8302

(b) if you want to limit access to yourself or a few users, just create a ~/.ssh/config file with the same Host/Port entries on your workstation or the workstations for each user who will access the box where ssh was moved to the high port

finally, rcsshd restart

Then just ssh as usual. You will have no more ssh attempts from the little weasels trying to get into your box showing up in your log file.

Note: you will still need to specify the port information for sftp in kde4. For some reason it doesn't respect the ssh_config or ~/.ssh/config files.

#2 limit mail service to IMAPS (dovecot with self-signed certificates works fine)

#3 turn off anonymous ftp. Disable ftp completely until you need it. (ssh into the box and turn it on if you only use it every once in a while)

#4 Use your router to close all ports except those that are needed and then use port forwarding to limit traffic on the open ports to a single host. (this works well for turning ftp off/on as well) It's usually called port forwarding on Linksys and other consumer cable/dsl routers.

Let me know if you have any more tips as well.

--
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
David C. Rankin wrote:
On Wednesday 16 September 2009 06:00:21 pm Chuck Payne wrote:
I've been getting hit real hard from China and Korea lately, and I know if they are hitting me on Mail, ssh, and ftp, they've got to be hitting me in other areas.
Excellent work Chuck! (post the script when you have it ready)
A couple of more tips:
[[[ #1 all time tip ]]] Move ssh to a high port!
grep Unassigned /etc/services and then take your pick
edit /etc/services and comment out the existing ssh entries for port 22 and then duplicate the ssh entries on whatever port you choose
NOTE: EDIT YOUR FIREWALL SETTINGS TO OPEN UP THE NEW PORT FOR SSH BEFORE YOU RESTART SSH IF YOU ARE WORKING FROM A REMOTE HOST OR YOU ARE --- SCREWED!!!
edit /etc/ssh/sshd_config and change:
#Port 22
Port 8302
Next, on hosts that will access ssh on the box that has ssh on the high port, either:
(a) edit the system wide /etc/ssh/ssh_config and add the new host/port definition (Host on one line followed by Port on the next line) and it will be available for all users. eg:
Host myhost.3111skyline.com myhost
Port 8302
(b) if you want to limit access to yourself or a few users, just create a ~/.ssh/config file with the same Host/Port entries on your workstation or the workstations for each user who will access the box where ssh was moved to the high port
finally, rcsshd restart
Then just ssh as usual. You will have no more ssh attempts from the little weasels trying to get into your box showing up in your log file.
Note: you will still need to specify the port information for sftp in kde4. For some reason it doesn't respect the ssh_config or ~/.ssh/config files.
#2 limit mail service to IMAPS (dovecot with self-signed certificates works fine)
#3 turn off anonymous ftp. Disable ftp completely until you need it. (ssh into the box and turn it on if you only use it every once in a while)
#4 Use your router to close all ports except those that are needed and then use port forwarding to limit traffic on the open ports to a single host. (this works well for turning ftp off/on as well) It's usually called port forwarding on Linksys and other consumer cable/dsl routers.
Let me know if you have any more tips as well.
Good set of tips - I also run blockhosts from http://freshmeat.net/projects/blockhosts/ and block all traffic from hosts published in http://www.spamhaus.org/drop/drop.lasso

--
--Moby
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin
Hello, On Wed, 16 Sep 2009, Chuck Payne wrote:
Guys,
I've been doing a search on the net for common log errors that show attacks. I am working on a script to put information from my logs to check for attacks; here are three I got. Does anyone know where I can find more, or can you recommend a string for me to search for?
"for SSH attacks"; `grep 'Invalid user' /var/log/messages | awk '{ print $10 }' | grep '[0-9]' | sort | uniq` ;
awk '/Invalid user/ && $10 ~ /[0-9]/ { print $10; }' /var/log/messages | sort -u
"for Pop attacks..."; `grep "\-ERR \[AUTH\]" /var/log/mail | awk '{ print $9 }' | sed 's/(//g' | sed 's/)://g' | sort | uniq`
awk '/-ERR \[AUTH\]/ { gsub(/\(/, "", $9); gsub(/\):/, "", $9); print $9; }' /var/log/mail | sort -u
"for Storm Worm"; `grep "smtpd_peer_init" /var/log/mail | awk '{ print $8 }' | sed 's/://g' | sort -u`
awk '/smtpd_peer_init/ { gsub(":", "", $8); print $8; }' /var/log/mail | sort -u
"for Spammer checking accounts" grep 'Recipient address rejected' mail.log | awk '{ print $10 }'
awk '/Recipient address rejected/ { print $10; }' mail.log
for ftp
grep -i 'no such user' /var/log/proftpd/proftpd.log | awk '{ print $7 }' | cut -d\[ -f2 | cut -d\] -f1 | sed 's/::ffff://g' | sort | uniq
awk 'BEGIN { IGNORECASE=1; } /no such user/ { $7 = gensub(/^.*\[([^]]*)\].*$/, "\\1", 1, $7); gsub("::ffff:", "", $7); print $7; }' /var/log/proftpd/proftpd.log | sort -u

or even easier:

awk 'BEGIN { IGNORECASE=1; FS="[][ ]"; } /no such user/ { gsub("::ffff:", "", $10); print $10; }' /var/log/proftpd/proftpd.log | sort -u

HTH,
-dnh

--
Bug: An elusive creature living in a program that makes it incorrect. The activity of "debugging," or removing bugs from a program, ends when people get tired of doing it, not when the bugs are removed.
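An added example, not Chuck's script and not David's awk rewrites, that folds the sshd, postfix and proftpd checks from this thread into one extractor and counts failures per source address. It anchors on the last " from " the daemon wrote instead of a fixed awk field number ($7, $9, $10), because hostname length, PID width, the ::ffff: prefix and an attacker-chosen login name all shift fields. Every log line below is a constructed sample in the usual syslog layout; the exact daemon wording is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sample log: sshd, postfix
# and proftpd failures, plus one sshd line whose login name was chosen to
# contain a fake address so that a fixed "$10" would report the wrong source.
SAMPLE_LOG='Sep 16 18:00:21 myhost sshd[1234]: Invalid user admin from 203.0.113.5
Sep 16 18:00:22 myhost sshd[1235]: Invalid user oracle from 203.0.113.5
Sep 16 18:00:23 myhost sshd[1236]: Invalid user test from 198.51.100.7
Sep 16 18:00:24 myhost sshd[1237]: Invalid user admin from 192.0.2.1 from 203.0.113.5
Sep 16 18:01:00 myhost postfix/smtpd[2001]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<bob@example.com> proto=ESMTP helo=<foo>
Sep 16 18:02:00 myhost proftpd[3001]: USER anonymous: no such user found from ::ffff:192.0.2.9 [::ffff:192.0.2.9] to ::ffff:10.0.0.1:21
Sep 16 18:02:01 myhost proftpd[3002]: USER root: no such user found from 198.51.100.7 [198.51.100.7] to 10.0.0.1:21'

# Print "count ip", busiest source first, over every failed-auth line.
failed_auth_ips() {
    printf '%s\n' "$SAMPLE_LOG" |
    awk '
        /Invalid user/ || /Recipient address rejected/ || tolower($0) ~ /no such user/ {
            # The daemon appends the peer address last, so the text after the
            # LAST " from " is trustworthy even if a login name contains " from ".
            n = split($0, part, / from /)
            if (n < 2) next
            tail = part[n]
            gsub(/::ffff:/, "", tail)            # drop IPv4-mapped IPv6 prefix
            if (match(tail, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
                print substr(tail, RSTART, RLENGTH)
        }' |
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Sources at or above a failure threshold (default 2), one IP per line;
# this is the list a tool like blockhosts would act on.
noisy_sources() {
    failed_auth_ips | awk -v min="${1:-2}" '$1 >= min { print $2 }'
}

failed_auth_ips
```

Replace the `printf` of the embedded sample with `cat /var/log/messages /var/log/mail /var/log/proftpd/proftpd.log` to run it over real logs.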
participants (4): Chuck Payne, David C. Rankin, David Haller, Moby